Summary and next steps
Passkeys don’t have to be intimidating.
Passlock abstracts registration and authentication into a simple process. Use the browser library to obtain a code, then send it to your backend for verification. Your backend then exchanges the code to obtain the passkey details. You’ve mastered the basics, but Passlock can do much more…
Relying Party ID (rpId)
Passkeys are resistant to phishing attacks because they’re bound to a specific hostname/domain. A passkey registered to legit.com can’t be presented to evil.com, even if the user wants to do so. Exactly which hostname a passkey can be presented to is determined by the Relying Party ID and origin.
Testing for browser support
Most browsers now support passkeys, although some capabilities such as programmatic passkey deletion, updates, and pruning are limited to newer browsers. Don’t assume a function call will succeed; check for errors. Alternatively, use helper functions such as isPasskeySupport, isPasskeyDeleteSupport, isPasskeyUpdateSupport, and isPasskeyPruningSupport to preemptively test for browser support.
JWT verification
The examples in this quick start guide use the code exchange flow. Whether you use the server library, or make the call directly, ultimately you’re making a network call to verify the passkey. An alternative to code exchange is local id_token (JWT) verification. This avoids the need for a network call as the JWT is verified locally.
Local user re-authentication
Passkeys include a concept known as user verification, which allows the device to re-authenticate the user locally (typically through Face ID / Touch ID) before presenting the passkey.
Updating device passkey managers
A user might change their account username or email address. You’ll likely want to update the passkey(s) in their local passkey manager. Otherwise they’d need to sign in using their “old” username.
Patterns and best practice
Passkeys can be used as a primary authentication strategy (replacing passwords), as an alternative login mechanism, or as a secondary authentication factor. Please see the authentication patterns guide.
Tenancies
Passlock includes multiple isolated tenancies. The development tenancy has some special characteristics to improve the developer experience. Learn how it differs from your staging and production tenancies.